Financial Real-Time Threats: Impacting Trading Floor Operations

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, OWASP, http://www.owasp.org
Dr Yiannis Pavlosoglou, OWASP Project Leader, Information Risk Management, [email protected]
September 6th, 2007

Page 1: Financial Real-Time Threats: Impacting Trading Floor Operations

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Financial Real-Time Threats: Impacting Trading Floor Operations

Dr Yiannis Pavlosoglou
OWASP Project Leader
Information Risk Management
[email protected]

September 6th, 2007

Page 2: Financial Real-Time Threats: Impacting Trading Floor Operations

Outline

Background
Motivation
Architecture
Findings
Scenario
Conclusions

Page 3: Financial Real-Time Threats: Impacting Trading Floor Operations

Background

PhD in Information Security: Emergence in Designing Routing Protocols

UK Security Scientist: DefCon 2007, IEEE, IEE, BCS, CISSP

Java Developer Background: J2SE, JEE

OWASP Project Leader: JBroFuzz

Employer: Information Risk Management, UK, www.irmplc.com

Page 4: Financial Real-Time Threats: Impacting Trading Floor Operations

Motivation

“the cash desk, the derivatives desk, the program desk … bring them all together”

“Do you have trading technology that allows you to trade across every asset in every country?”

“Our traders can trade across multiple asset classes simultaneously”

“We offer you the ability to trade from your PDA”

How long can you be out of the market for?

Page 5: Financial Real-Time Threats: Impacting Trading Floor Operations

Motivation

How long can you be out of the market for?

Regulatory requirements

Business loss opportunities

Liability issues regarding prices

Increase in number of people on the floor

Page 6: Financial Real-Time Threats: Impacting Trading Floor Operations

The Freakonomics of Security and Personnel

Scenario: Member of Staff A holds a password of ‘operational importance’

Technical Attack Approach

Password is stored in the form of a 128-bit hash
The cost of obtaining the hash would require an insider’s presence
To check for a single value would cost: $0.00000000001
To check for more than half of the values: ≈ $184 million

Human Attack Approach

Clerical A Staff Salary pays: $40K / year
A successful career of, say, 25 years
Total Earnings: ≈ $1 million

Page 7: Financial Real-Time Threats: Impacting Trading Floor Operations

Trading Floor Security Testing Architecture

Page 8: Financial Real-Time Threats: Impacting Trading Floor Operations

Trading Floor Security Testing Architecture

Penetration Test, Application Security Test, Software Product Review, Application Architecture Assessment

Console Audit Test, Application Assessment, Network Assessment

Secure Development Training, Application Assessment, Network Assessment, VPN / RAS Test

Firewall Review, VPN / RAS Test, Messaging System Audit

Page 9: Financial Real-Time Threats: Impacting Trading Floor Operations

Typical Assessment Findings

Page 10: Financial Real-Time Threats: Impacting Trading Floor Operations

Scenario

Operational System

Risk Assessment Initiated

Initial Internal Assessment

External Penetration Test

Page 11: Financial Real-Time Threats: Impacting Trading Floor Operations

Scenario Results

External Penetration Test
A1: Cross Site Scripting
A2: Cross Site Request Forgery
A4: Web Application DoS
A7: Weak Session Cookies
A9: Insecure Communications

Final Risk Assessment

A1: Non Internet Facing Application
A2: Scarce Data Manipulation Attacks
A4: Application recovers successfully
A7: Users not technical enough
A9: Internal Switched Network

Fun and Profit Enterprise Attack

A4: Cause a Web Denial of Service
A1: Mass Internal Phishing Email
A2: Manipulate data on the fly
A7: Hijack administrator’s data
A9: Bounce data off mail gateway
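The A7 and A9 findings above (weak session cookies, insecure communications) were dismissed in the final risk assessment because the application was internal and its users non-technical, yet both feed directly into the enterprise attack chain. A defender can catch these two classes mechanically from HTTP responses. The check below is an added example, not code from the deck or from OWASP; the Set-Cookie lines are constructed, and the 64-bit floor for a session identifier and the Shannon-entropy heuristic are this example's own assumptions.

```python
"""Audit Set-Cookie headers for the weak-session-cookie (A7) and
insecure-communications (A9) issues listed in the scenario slide.
Added example; the sample headers are constructed for demonstration."""
import math
import re
from collections import Counter

# Constructed sample responses (not captured from any real trading system).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6; Path=/; Secure; HttpOnly",
    "Set-Cookie: sessionid=12345; Path=/",
    "Set-Cookie: trader=jsmith:admin; Path=/; HttpOnly",
]

MIN_ID_BITS = 64  # assumed floor for an unguessable session identifier


def estimated_entropy_bits(value: str) -> float:
    """Rough randomness estimate: per-character Shannon entropy times length.
    A single sample cannot prove randomness, so a low figure is a reliable
    warning while a high figure only means nothing obvious was found."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def parse_set_cookie(header: str) -> tuple[str, str, set[str]]:
    """Split 'Set-Cookie: name=value; Attr; Attr=x' into the cookie name,
    its value and the set of lower-cased attribute names."""
    body = re.sub(r"^\s*set-cookie\s*:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> dict:
    """Return the cookie name and a list of findings keyed to the OWASP
    Top 10 2007 categories used on the slide (A7, A9)."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("A9: missing Secure flag, cookie can travel over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("A7: missing HttpOnly flag, cookie readable by injected script")
    if value.isdigit():
        findings.append("A7: numeric session value, likely sequential or guessable")
    elif re.search(r"[:|,]", value):
        findings.append("A7: value carries structured identity/role data, not a random token")
    bits = estimated_entropy_bits(value)
    if bits < MIN_ID_BITS:
        findings.append(f"A7: estimated randomness {bits:.1f} bits, below {MIN_ID_BITS}")
    return {"name": name, "findings": findings}


def audit_all(headers: list[str]) -> dict:
    """Map each cookie name to its findings; an empty list means clean."""
    report = {}
    for header in headers:
        result = audit_set_cookie(header)
        report[result["name"]] = result["findings"]
    return report


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or ["no findings"])
```

Run against the constructed lines, the hex `JSESSIONID` passes, while `sessionid=12345` and `trader=jsmith:admin` each produce the A7 and A9 findings that the slide's external test reported. The same routine can be pointed at captured response headers from an internal application to test the "internal switched network" argument on evidence rather than assumption.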

Page 12: Financial Real-Time Threats: Impacting Trading Floor Operations

Conclusions

Complex “Enterprise Level” applications will experience “Enterprise Level” attacks

An application, subsystem or component must be able to withstand a targeted specialized attack

Simplicity is key for a Secure System Implementation